CAdES/PAdES/XAdES signing the same file with multiple signatures

I have been successfully signing files, starting with CAdES-BES up to CAdES-XL, PAdES and PAdES-T (for PDF files), and also XAdES and XAdES-T (for XML files).

What I'm trying to do next is signing the same files with multiple private keys using different pkcs11 tokens.

The signing operation seems quite simple.
1 - Create a message from the file stream.
2 - Add a signature to the message.
3 - Give the signature to the processor/handler.
4 - Sign it with the processor/handler.

Since the procedure involves adding signatures and deals with indexes, I assumed adding another signature would be simply to repeat steps 2-3-4 or even 2-3 and sign them all at once at the end on step 4.

But when I tried to repeat steps 2-3-4 twice (with the same private key by the way), it threw this:
PKCS#11 error CKR_FUNCTION_CANCELED in function C_Sign ---> SBPKCS11Base.EElPKCS11Error: PKCS#11 error CKR_FUNCTION_CANCELED in function C_Sign

When I tried repeating 2-3 and signing them all at once, it didn't throw any error, but it didn't seem to work properly either, because I cannot see the file as signed in another application that I use to cross-check. This third-party application successfully sees the signatures when I single-sign the files.

What am I doing wrong? How can I sign the same file with multiple PKCS#11 tokens at once?

Copy-pasting the answer from the helpdesk, just in case someone else might need it.

Quote

Hi Kadir,

In general, your understanding is correct. In most cases several parallel signatures can be added to the same document in an iterative way, by adding signatures one after another. However, in certain more complicated scenarios you might need to close and re-open the document between signing operations, as a subsequent signature might need to know the exact binary representation of the document from the previous step (and you can't get that without serializing the document). This particularly concerns some types of PDF and AdES documents.

As for your particular problem, it seems to be specific not to the signing code itself but to some constraints of the hardware device. It might be that the device can't use the same private key within the same session twice and throws an exception on the second signing attempt. We saw similar behavior in the past with some HSMs. The straightforward solution would be to close the storage and open it again for the next signing.

What I suggest you do (it's the most robust way of achieving your goal) is to encapsulate the signing logic in one method that will do the whole job from the start to the end (schematically):

Opening and closing the storage for each signature operation worked perfectly. Thanks :)

I didn't close the file between signatures. After creating the signatures, I just saved the resulting signed file to a stream.

I also tried opening and closing the file for each signature, but that way it signs a "signed document". I do not know if this is the valid case for serial signings. But I'll keep that in mind for PDF and XML signature operations.
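
The open-sign-close pattern discussed in this thread, as an added example that is not the helpdesk's code and does not use the signing library's API. `SimulatedToken` is a constructed model of a device that refuses a second `C_Sign` in the same session, HMAC-SHA256 stands in for the on-token private key, and all function names are hypothetical.

```python
import hashlib
import hmac
from contextlib import contextmanager

class TokenError(Exception):
    """Stand-in for a PKCS#11 error such as CKR_FUNCTION_CANCELED."""

class SimulatedToken:
    """Constructed model of a device that will not use the same private
    key twice within one session. HMAC-SHA256 replaces the real on-token
    signature so the example runs without hardware."""
    def __init__(self, label, secret):
        self.label, self._secret = label, secret
        self._open = self._used = False

    def open_session(self):
        self._open, self._used = True, False

    def close_session(self):
        self._open = False

    def sign(self, data):
        if not self._open:
            raise TokenError("CKR_SESSION_HANDLE_INVALID")
        if self._used:
            raise TokenError("CKR_FUNCTION_CANCELED")
        self._used = True
        return hmac.new(self._secret, data, hashlib.sha256).hexdigest()

@contextmanager
def opened(token):
    """Open the storage for one signature and always close it again."""
    token.open_session()
    try:
        yield token
    finally:
        token.close_session()

def sign_once(document, token):
    """Whole job for one signer: open, sign the original bytes, close."""
    with opened(token) as t:
        return (t.label, t.sign(document))

def sign_parallel(document, tokens):
    """Parallel signatures: each signer covers the same document bytes."""
    return [sign_once(document, token) for token in tokens]
```

Because every call to `sign_once` gets a fresh session, the same token can appear more than once in the list, and the `finally` clause closes the session even when signing raises.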